
Elasticsearch/audit fileset fails with grok failure #10035

Closed
ycombinator opened this issue Jan 12, 2019 · 1 comment

Comments

@ycombinator
Contributor

ycombinator commented Jan 12, 2019

Observed on master.

The elasticsearch/audit fileset does not know how to parse the following log line:

```
[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     origin_type=[transport], origin_address=[192.168.2.1], principal=[username], realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], action=[indices:data/read/search[free_context]], indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]
```

It fails with the following error:

```
Provided Grok expressions do not match field value: [[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     origin_type=[transport], origin_address=[192.168.2.1], principal=[username], realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], action=[indices:data/read/search[free_context]], indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]]
```
@ycombinator ycombinator self-assigned this Jan 12, 2019
@ycombinator ycombinator changed the title Elasticsearch/audit fileset should handle indices field in log Elasticsearch/audit fileset should handle indices and roles fields in log Jan 12, 2019
@ycombinator ycombinator changed the title Elasticsearch/audit fileset should handle indices and roles fields in log Elasticsearch/audit fileset should handle more fields in log Jan 12, 2019
@ycombinator ycombinator changed the title Elasticsearch/audit fileset should handle more fields in log Elasticsearch/audit fileset fails with grok failure Jan 16, 2019
@elasticmachine
Collaborator

Pinging @elastic/stack-monitoring

ycombinator added a commit that referenced this issue Jan 18, 2019
…me (#10135)

Resolves #10035.

This PR:

* Uses `DATA` instead of `WORD` in the grok pattern for parsing out `elasticsearch.node.name`,
* Breaks out the grok pattern into pattern definitions to increase readability
* Removes a redundant `?` after a `*` in the grok pattern (between `elasticsearch.audit.action` and `elasticsearch.audit.uri`), and
* Properly reindents the pipeline JSON (so you might want to view the diff with `?w=1` appended to the URL)
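The following is an added illustration, not code from the issue, the PR or the Beats repository. It reproduces the root cause named in the commit message (`WORD` vs `DATA` for the node name) with a small grok-to-regex expander: the standard grok `WORD` definition is `\b\w+\b`, and `\w` does not include `-`, so a node named `NodeName-0` can never match, while the lazy `DATA` (`.*?`) does. The `BEFORE`/`AFTER` patterns and the `parse_audit_kv` helper are simplified, hypothetical stand-ins for the module's real pipeline; the sample line is the one from the report above.

```python
import re

# Sample line, copied from the issue report (the only input we need).
SAMPLE_LINE = (
    "[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     "
    "origin_type=[transport], origin_address=[192.168.2.1], principal=[username], "
    "realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], "
    "action=[indices:data/read/search[free_context]], "
    "indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,"
    "foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]"
)

# Minimal grok pattern library (constructed). WORD and DATA mirror the standard
# grok definitions, which is exactly the difference this fix hinges on.
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}",
    "WORD": r"\b\w+\b",   # \w has no '-', so 'NodeName-0' cannot match
    "DATA": r".*?",       # lazy run of any chars, stops at the next literal ']'
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} tokens into named regex groups; literals stay as-is."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

# Hypothetical before/after head patterns, simplified from the change the commit
# message describes (node name: WORD -> DATA). Not the module's actual pipeline.
BEFORE = (r"\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{WORD:node_name}\] "
          r"\[%{WORD:layer}\] \[%{WORD:event_type}\]\s+%{GREEDYDATA:fields}")
AFTER = (r"\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:node_name}\] "
         r"\[%{WORD:layer}\] \[%{WORD:event_type}\]\s+%{GREEDYDATA:fields}")

def grok_match(pattern: str, line: str):
    """Return the captured groups, or None (the ingest pipeline's grok failure)."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

def parse_audit_kv(fields: str) -> dict:
    """Split 'key=[value], key=[value]' pairs. Values may themselves contain
    brackets (action=[...search[free_context]]), so track bracket depth instead
    of stopping at the first ']'."""
    out = {}
    for m in re.finditer(r"(\w+)=\[", fields):
        depth, i = 1, m.end()
        while i < len(fields) and depth:
            depth += {"[": 1, "]": -1}.get(fields[i], 0)
            i += 1
        out[m.group(1)] = fields[m.end():i - 1]
    return out

def parse_audit_line(pattern: str, line: str):
    """Head fields plus the key=[value] tail as one flat dict, or None on grok failure."""
    head = grok_match(pattern, line)
    if head is None:
        return None
    tail = parse_audit_kv(head.pop("fields"))
    return {**head, **tail}

if __name__ == "__main__":
    print("BEFORE:", parse_audit_line(BEFORE, SAMPLE_LINE))   # None -> grok failure
    print("AFTER: ", parse_audit_line(AFTER, SAMPLE_LINE))
```

From a monitoring standpoint the failure mode matters more than the regex detail: when the head pattern does not match, the whole `access_granted` event is left unparsed, so `principal`, `roles`, `indices` and `action` are not searchable as fields and any alert keyed on them silently misses. A quick check like the one above, run against a few real lines from each node (including ones whose names contain hyphens or dots), catches this class of regression before the pipeline is deployed.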
ycombinator added a commit that referenced this issue Jan 21, 2019
… lenient in parsing node name (#10174)

Cherry-pick of PR #10135 to 6.x branch. Original message: 

Resolves #10035.

This PR:

* Uses `DATA` instead of `WORD` in the grok pattern for parsing out `elasticsearch.node.name`,
* Breaks out the grok pattern into pattern definitions to increase readability
* Removes a redundant `?` after a `*` in the grok pattern (between `elasticsearch.audit.action` and `elasticsearch.audit.uri`), and
* Properly reindents the pipeline JSON (so you might want to view the diff with `?w=1` appended to the URL)
ycombinator added a commit that referenced this issue Feb 1, 2019
… lenient in parsing node name (#10465)

Cherry-pick of PR #10135 to 6.6 branch. Original message: 

Resolves #10035.

This PR:

* Uses `DATA` instead of `WORD` in the grok pattern for parsing out `elasticsearch.node.name`,
* Breaks out the grok pattern into pattern definitions to increase readability
* Removes a redundant `?` after a `*` in the grok pattern (between `elasticsearch.audit.action` and `elasticsearch.audit.uri`), and
* Properly reindents the pipeline JSON (so you might want to view the diff with `?w=1` appended to the URL)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…be more lenient in parsing node name (elastic#10465)

Cherry-pick of PR elastic#10135 to 6.6 branch. Original message: 

Resolves elastic#10035.

This PR:

* Uses `DATA` instead of `WORD` in the grok pattern for parsing out `elasticsearch.node.name`,
* Breaks out the grok pattern into pattern definitions to increase readability
* Removes a redundant `?` after a `*` in the grok pattern (between `elasticsearch.audit.action` and `elasticsearch.audit.uri`), and
* Properly reindents the pipeline JSON (so you might want to view the diff with `?w=1` appended to the URL)